The context

Talend Administration Console (TAC) is a central point of control for your Talend Data Integration architecture. If authorized users access TAC from the Internet or a non-secured network, a sniffing attack is possible. Therefore, securing the communication between the browser and TAC may become a requirement for your company.

When you configure an HTTPS port on a Tomcat instance hosting TAC, the logging menu is no longer able to display the statistics on log events.

At best, the browser displays the error message:

Mixed Content: The page at 'https://<TAC_URL>:<TAC_PORT_SSL>/kibana/' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint 'http://<LOGSERVER_HOSTNAME>:9200/_nodes'.
This request has been blocked; the content must be served over HTTPS.

At worst, you have a black page and nothing else.

First question: What is mixed content?

"When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted; the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, so the connection is not safeguarded. When a web page exhibits this behavior, it is called a mixed content page."

So when you select a "logging" link on the TAC page, the browser is redirected to an HTTP URL, which it treats as a security flaw. Tweaking the browser may come to mind, but changing anything on the client side means propagating the change to every browser of every potential end user, so forget it.

Kibana sends the browser to collect data from the Logserver. As the Logserver is using HTTP, the browser's reaction is not surprising: you are trying to access unsecured content within secured content. So, will the solution come from securing the Logserver?

Tomcat Keystore

As you may know, Tomcat is not using certificate and key files but a Java keystore to store its private key, certificates, and trusted certificates. Here are the steps to create a Java keystore with the certificate and key you created in the previous step:

Then you need to change the file /etc/apache2/sites-enabled/default-ssl.conf to reflect the usage of the certificate and also the redirection to the Logserver. (As always, before modifying anything, keep a copy of this file somewhere else.)

In this example, you will use the URL https://tld621:443/elk to redirect to the Logserver. In the future this proxy server may be configured to proxy other resources using other URIs.
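
As an added illustration (not the original article's configuration), the relevant part of default-ssl.conf for this setup could look like the following. The host tld621, port 443, the /elk path and the Logserver port 9200 come from the text above; the certificate paths, the Logserver hostname, the client address range and the enabled modules (ssl, proxy, proxy_http) are assumptions.

```apache
# Added example: TLS-terminating reverse proxy in front of the Logserver.
# Assumes mod_ssl, mod_proxy and mod_proxy_http are enabled.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName tld621

    # Serve this virtual host over TLS with the certificate and key
    # created earlier (placeholder paths, adjust to your own files).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/tld621.crt
    SSLCertificateKeyFile /etc/ssl/private/tld621.key

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # https://tld621:443/elk/... is relayed to the Logserver over HTTP.
    # logserver.example.internal stands in for <LOGSERVER_HOSTNAME>.
    ProxyPass        "/elk/" "http://logserver.example.internal:9200/"
    ProxyPassReverse "/elk/" "http://logserver.example.internal:9200/"

    # The proxied path exposes the Logserver's HTTP API to anyone who can
    # reach this host, so limit it to the networks your TAC users come from.
    # 192.0.2.0/24 is a constructed documentation range.
    <Location "/elk/">
        Require ip 192.0.2.0/24
    </Location>
</VirtualHost>
</IfModule>
```

With this in place, a request such as https://tld621:443/elk/_nodes reaches the Logserver's /_nodes endpoint through the proxy, so the browser no longer sees an HTTP request inside the HTTPS page. The hop between the proxy and the Logserver is still cleartext HTTP and should stay on a trusted network segment.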